Category: Threat hunting presentation

An overwhelming increase in sophisticated and targeted attacks from threat actors, or even nation-states such as Iran, China and Russia, has made threat-hunting services necessary for organizations and even governments to stay one step ahead of threats.

Adversaries try their level best to perform reconnaissance with hopes of penetrating corporate networks and exploiting systems without detection. In response, organizations require a proactive and iterative threat-hunting program that should be ranked highly for precision and sophistication. In this article, we will explore ten steps covering how to conduct such an effective and reliable threat-hunting campaign.

When your company decides to conduct a threat-hunting program, it has two options: in-house or outsourced. In-house threat hunting involves threat hunters from within the organization, without hiring the services of a third party or outsourcer.

In this situation, the company should possess a sufficient talent pool to conduct a threat hunt itself. For example, your own threat-hunting team should have the ability to deal with Advanced Persistent Threats (APTs) carried out by adversaries. Outsourcing, by contrast, is an agreement whereby one organization hires another organization to get its specific tasks or projects done. In the case of threat hunting, one company will hire threat hunters from another company on an ad-hoc basis.

These outsourced threat hunters will remain associated with the company until a threat-hunting program is completed successfully. Whether you start threat hunting in-house or outsourced, the best threat-hunting campaign begins with proper planning. You must plan which processes will be executed to conduct your threat-hunting program. These processes are designed to discern not only what you have, but also the data sources that are misconfigured or missing. You cannot secure what you do not know exists!

Next, analysts must develop a hypothesis by identifying the results they expect from the hunting campaign. Fileless malware, or a fileless infection, is malicious code that exists only in memory rather than on the hard drive of the targeted system.

Attackers use tools such as PowerShell to carry out fileless attacks. Testing every PowerShell process can be a time-consuming, frustrating and daunting task. Therefore, analysts should make smart choices and collect only the information that provides meaningful outcomes.

The analysts should develop a wise approach to test the hypothesis without reviewing every event. Data gathering is a vital process that involves the collection, normalization, and analysis of critical data. However, identifying what should be logged can be a Gordian knot. Collecting all types of logs is not a prudent approach, as it is a time-consuming process that further creates annoying and pesky noise.

Data retention is the essential component of any logging policy.

This year, memory forensics has evolved once more, and the Volatility team talked to us about using it to be more proactive than reactive in incident response.

Similarly, a motivated attacker, who has been extracted from a network, is going to continue to try to find other ways to get back into the organization and, if successful, they will often adapt their tactics. As a result, these organizations are starting to leverage their incident response teams to perform proactive threat hunting. The advantage with these efforts is that organizations are not only more likely to find attackers hiding within their infrastructure, but they are also gaining valuable insight into what is normally happening.

A critical part of these new approaches is the ability to rapidly learn what attackers are doing in your environment and then quickly extend your forensics arsenal to detect their evolving tactics. The presentation will discuss a couple of case studies to demonstrate how these techniques are being used in real investigations involving targeted threat groups. It will also discuss new Volatility plugins that were developed during these investigations.

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn? VT: The presentation will discuss tactics and strategies that allow organizations to deal with the challenges associated with advanced adversaries.

It will also discuss why open source tools, such as Volatility, are a critical component in the battle against modern threats. BT: What brought you into the digital forensics domain? What is your favorite aspect of digital forensics?

It was during this time that we also began to see widespread examples of memory resident malware, including both Code Red and SQL Slammer, and kernel-level rootkits were undermining most live response scripts.

The Metasploit community and its developers were also pushing the state of the art in anti-forensics and stealthy exploitation techniques. As an alternative, we wanted to create a project that would help bring together technical talent in the forensics and incident response communities. We also wanted to create a unifying framework that would bring together academics, practitioners, government, and law enforcement from around the world.

We felt it was important to create a platform where the latest cutting edge research being presented at academic conferences could be immediately transitioned into the hands of digital investigators.

VT: One of the unique aspects of the Volatility team is that the majority of the researchers and developers are also active practitioners. This includes incident responders, malware analysts, reverse engineers, threat intelligence analysts, and digital investigators. As a result, we are building the tools that we actually use during our investigations.

During these investigations, we often encounter attackers who are leveraging innovative techniques to hide from off the shelf security and forensics tools.

We firmly believe the most effective way of dealing with these threats is with creative analysts who have the ability to rapidly adapt their tools to the evolving threats. Open source forensics tools give you the ability to look into the code to understand what is happening and understand the assumptions that are built into the tools.

Finally, you have the ability to build on the research of the community and extend the capabilities to do something new and exciting. In fact, it is one of the only times during the year when the Volatility team is able to meet up in person. As a result, we get a lot of valuable feedback about memory analysis challenges people are experiencing and gain insight into features users would like to see in future releases.

VT: It is definitely one of the most exciting times in Volatility development. There are a number of interesting projects focused on developing new analysis capabilities and new techniques for detecting suspicious activity using previously unknown artifacts that can only be found in memory.

Posted on Mar 07, to Presentations. With attacks always changing, threat hunting in a massive environment can be an overwhelming endeavor! This session will show how to hunt for threats in a way that transcends attack specifics, using the numbers to your advantage to uncover unique and unusual machine behaviors.

This practical method can be leveraged in almost any environment, and can be applied to network and endpoint data. Learning Objectives: 1: Understand the challenge of threat hunting in a massive environment. Pre-Requisites: Attendees should have a basic understanding of networking and security threats. Database experience would be beneficial, but not required. The session will be most relevant and beneficial to those in a threat hunting or incident response role.

Presenters: Vernon Habersetzer, Sr. Enterprise Technical Expert, Walmart.

Consider this: No system is absolutely protected from cyberthreats. Even in the case where the best, most recent and effective security solutions are in place, there is always the chance cybercriminals will develop a new form of attack that can bypass layer after layer of protection controls. As expected, this is no simple task; hunting for cybercriminals will require an experienced team, lots of data (such as logs from network devices, servers and endpoints), a solution for centralizing data collection and analysis, and actionable knowledge about threats to an environment.

With all these variables and requirements, it is essential to adequately manage all the threat-hunting elements. Otherwise the hunt effectiveness can suffer a great deal, leading to a false sense of security, while cybercriminals reign unopposed.

The best solution is understanding the threat-hunting process. Here are five simple steps that will ensure your hunt is a success. Before starting to proactively hunt cyberthreats, it is necessary to confirm that the essentials are in place: the hunter, the data and the tools.

Threat hunting should not be alert-based.

It is a proactive process that must provide the answers to high-level questions defined by the cybersecurity leadership. So, after the preparations phase is complete, the next logical step is defining what you are hunting for. Ideally this should come in the form of a custom, context-driven hypothesis, creating what is called prioritized intelligence requirements (PIR).

From a cybersecurity point of view, it is quite similar, as it represents what the CISO wants to know about cyber threats.

A good PIR should be focused, specific and directly related to a decision regarding the security strategy. Based on this hypothesis, a hunter can start tracking their prey, and that takes us to the next step.

Now that the hunter has strategic instructions (PIR), it is time to translate this into specific information requirements (SIR) and start hunting. For example, a hunter trying to confirm the hypothesis of an endpoint being controlled by a remote party could start by checking network traffic abnormalities, such as increased DNS queries from a single host.

This can be quite a challenge, considering the number of logs to be analyzed and the fact that most attacks make use of advanced techniques to remain concealed, such as encoding and encryption, or splitting an attack payload into multiple small packets. The hunter will work with the security team to create the best response. This should include both short-term and long-term remediation. In essence, the goal is immediately stopping the attack, and taking action to make sure it will not happen again — either to the affected host or other, similar devices.

A key point here is understanding how an attacker gained access: What sort of vulnerability was exploited?

Was there a faulty firewall rule? Why did the IPS not detect the attack? Was it a new zero-day attack?

Are there missing patches that could have prevented the problem? Is it an isolated attack or only a part of an ongoing campaign against the company? Answering those questions can take some time, and one particularly key point is making sure not to lose the focus on stopping the current attack.

However, in the real world, there are many victims suffering from very stupid mistakes.

Through a couple of examples, I will talk about TI and AI in real practices, and crowd defense - a way to integrate defense measures against both targeted and untargeted attacks, avoiding being the low hanging fruit. Finally, I will conclude with best practices around TI based crowd defense and corresponding challenges that need collective efforts. His research interests include threat intelligence, software defined security, security metrics, cyber insurance, etc.

He is a network security veteran with over 20 years of professional experience. He was honored by Ron Knode Award at In his spare time, he likes to play GO. Liang obtained his Ph.

With a solid architecture, a library of customisable forensic artifacts and its own unique and flexible query language, Velociraptor provides the next generation in endpoint monitoring, digital forensic investigations and cyber incident response.

At the press of a few buttons, perform targeted collection of digital forensic evidence simultaneously across your endpoints, with speed and precision. Continuously collect endpoint events such as event logs, file modifications and process execution. Centrally store events indefinitely for historical review and analysis. Don't wait until an event occurs. Actively search for suspicious activities using our library of forensic artifacts, then customize to your specific threat hunting needs.

When serious events occur on an endpoint, trigger an automated response to collect evidence, silently block malicious activity or lock-down endpoints entirely. As an open source platform, Velociraptor continues to evolve and improve through feedback and input from practitioners on the front lines of cyber security and digital forensic investigations.

As your needs change, so can Velociraptor. Velociraptor works natively on Windows, macOS and Linux. It's distributed as a static binary with no libraries or dependencies. You can create a server within minutes and easily deploy clients using SCCM or Group Policy, or even run in agentless mode.

The Velociraptor Query Language (VQL) is an expressive query language designed to adapt to your requirements easily, without needing to modify any code or deploy additional software. VQL encapsulates digital forensic expertise into human-readable files called 'artifacts', which can be shared and exchanged freely within the community.

Velociraptor is being actively developed by Velocidex Enterprises, an established business entity providing professional services, custom development and training to organizations who require a higher level of commercial support.

Velociraptor is built by digital forensic and incident response practitioners and used on real-world investigations every day. As we encounter new challenges and requirements, we develop new features and artifacts, which are contributed back into the project, for the benefit of the whole community.

We know that performance is critical and operational impact must be minimized. Velociraptor provides real-time performance monitoring and endpoint throttling to run more intense hunts 'low and slow' thereby minimizing any operational impact.

Led by industry experts with over 20 years of proven experience in developing digital forensic software and using it successfully in thousands of real-life DFIR cases.

Our team are trusted advisors to hundreds of clients across Australia and internationally, providing digital forensic services on the most sensitive cases.

We provide both in-house and online professional services and training to support deployment and use of Velociraptor across your networks. Velocidex Enterprises was founded by well established industry professionals with many years of proven expertise in the development of digital forensic software and its use to support a wide range of digital forensic investigations and cyber breach response cases.

Velociraptor aims to provide the "last step" in the process of digital forensic investigations, security monitoring and threat hunting. We already know a great deal about how to investigate computer systems and monitor for malicious activities. Velociraptor aims to encapsulate this industry knowledge and empower both experts and novices to leverage it, to collect and analyze evidence of malicious activities with speed and precision. Mike is a renowned digital forensic researcher and senior software engineer.

Mike is our "Digital Paleontologist" and brings his years of expertise to the role of principal developer of Velociraptor.

Dig deeper. Interrogate your endpoints with speed and precision. Go hunting. Harness digital forensic expertise to proactively find suspicious activities. Stop attackers in their tracks. Monitor for dangerous events and respond with accuracy and flexibility.

This principle is based on the idea that 80 percent of cyberthreat actors are generally unsophisticated, while the other 20 percent are so advanced that, given enough time and resources, they could break in to any network.

Historically, the defense and intelligence community was primarily concerned about the top 20 percent of cyberattackers. Today, however, the emergence of commoditized malware has made advanced techniques available to traditionally unsophisticated attackers.

For example, the WebAttacker exploit kit packaged up a suite of tools that any threat actor could operate. Most security practitioners understand that good hygiene and perimeter security will mitigate the bottom 80 percent of attackers. In a security operations center (SOC), blocking and tackling techniques can address up to 90 percent of these attackers. But what about that final 10 percent? This is the domain of threat hunting, where a human analyst can investigate data sources for evidence of a threat that a machine cannot detect alone.

For example, an analyst looking for anomalies can uncover indicators of an adversary executing portions of the attacker kill chain and stop it prior to actions on the objective.

The basic foundation of threat hunting requires a security information and event management (SIEM) solution, which properly aggregates internal structured data within a network.

Threat intelligence feeds allow organizations to compare external threat indicators and understand the threat landscape. Two new pieces added to this puzzle are statistical analysis engines and intelligence analysis tools. Statistical analysis enables analysts to find anomalies based on mathematical patterns, not rules engines. Intelligence analysis tools allow relational data to be visualized so analysts can pivot connections off entities, links and properties.

The threat analyst is the practitioner of threat hunting. This individual, often called a tier 3 analyst, has skills related to information security, forensic science and intelligence analysis.

The combination of these skills enables tier 3 analysts to proactively discover threats based on intelligence requirements and move directly into investigations. The most important starting point when executing threat hunting is establishing prioritized intelligence requirements (PIR). These are essentially high-level questions that leaders want answered.

This would then lead to the generation of specific information requirements (SIR) to help answer the following questions:

These questions guide the threat hunter to important intelligence that can be used to address high-level questions and disrupt sophisticated, previously unknown attacks.

Companies that are new to threat hunting should start with basic versions of the concepts listed above and add in more capabilities as they mature. With the right mix of technology, personnel and actionable threat intelligence, organizations can fill in their security gaps and protect their networks from malicious actors hiding in the noise.
